From e4608715e6e1dd2adc91982fd151d5ba4f761d69 Mon Sep 17 00:00:00 2001 From: Carlos O'Donell Date: Fri, 19 Jul 2013 02:42:03 -0400 Subject: [PATCH] CVE-2013-2207, BZ #15755: Disable pt_chown. The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk. --- ChangeLog | 21 +++++++++++++++++++++ INSTALL | 12 ++++++++++++ NEWS | 9 ++++++++- config.h.in | 3 +++ config.make.in | 1 + configure | 16 ++++++++++++++++ configure.in | 10 ++++++++++ login/Makefile | 8 +++++++- manual/install.texi | 14 ++++++++++++++ sysdeps/unix/grantpt.c | 8 +++++--- sysdeps/unix/sysv/linux/grantpt.c | 5 +++-- 11 files changed, 100 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index e709aca1a1..49c346d20a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,24 @@ +2013-07-21 Siddhesh Poyarekar + Andreas Schwab + Roland McGrath + Joseph Myers + Carlos O'Donell + + [BZ #15755] + * config.h.in: Define HAVE_PT_CHOWN. + * config.make.in (build-pt-chown): New variable. + * configure.in (--enable-pt_chown): New configure option. + * configure: Regenerate. + * login/Makefile: Include Makeconfig. Build pt_chown only if + build-pt-chown is enabled. + * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn + pt_chown to fix pty ownership. + * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define + CLOSE_ALL_FDS. + * manual/install.texi (Configuring and compiling): Mention + --enable-pt_chown. Add @findex for grantpt. + * INSTALL: Regenerate. + 2013-07-20 David S. Miller * sysdeps/sparc/fpu/libm-test-ulps: Update ULPs to handle minor diff --git a/INSTALL b/INSTALL index 721a7fc10c..2c61704b8f 100644 --- a/INSTALL +++ b/INSTALL @@ -136,6 +136,18 @@ will be used, and CFLAGS sets optimization options for the compiler. `--enable-lock-elision=yes' Enable lock elision for pthread mutexes by default. +`--enable-pt_chown' + The file `pt_chown' is a helper binary for `grantpt' (*note + Pseudo-Terminals: Allocation.) that is installed setuid root to + fix up pseudo-terminal ownership. It is not built by default + because systems using the Linux kernel are commonly built with the + `devpts' filesystem enabled and mounted at `/dev/pts', which + manages pseudo-terminal ownership automatically. By using + `--enable-pt_chown', you may build `pt_chown' and install it + setuid and owned by `root'. The use of `pt_chown' introduces + additional security risks to the system and you should enable it + only if you understand and accept those risks. + `--build=BUILD-SYSTEM' `--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both diff --git a/NEWS b/NEWS index c39157da61..4b2d5ca6d6 100644 --- a/NEWS +++ b/NEWS @@ -21,7 +21,14 @@ Version 2.18 15395, 15405, 15406, 15409, 15416, 15418, 15419, 15423, 15424, 15426, 15429, 15431, 15432, 15441, 15442, 15448, 15465, 15480, 15485, 15488, 15490, 15492, 15493, 15497, 15506, 15529, 15536, 15553, 15577, 15583, - 15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711. + 15618, 15627, 15631, 15654, 15655, 15666, 15667, 15674, 15711, 15755. + +* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal + has been fixed by disabling the use of pt_chown (Bugzilla #15755). + Distributions can re-enable building and using pt_chown via the new configure + option `--enable-pt_chown'. Enabling the use of pt_chown carries with it + considerable security risks and should only be used if the distribution + understands and accepts the risks. * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla #15078). diff --git a/config.h.in b/config.h.in index 6284e2a99b..a85f131255 100644 --- a/config.h.in +++ b/config.h.in @@ -238,4 +238,7 @@ /* The ARM hard-float ABI is being used. */ #undef HAVE_ARM_PCS_VFP +/* The pt_chown binary is being built and used by grantpt. */ +#undef HAVE_PT_CHOWN + #endif diff --git a/config.make.in b/config.make.in index b01b70be2b..7b04568a22 100644 --- a/config.make.in +++ b/config.make.in @@ -95,6 +95,7 @@ link-obsolete-rpc = @link_obsolete_rpc@ build-nscd = @build_nscd@ use-nscd = @use_nscd@ build-hardcoded-path-in-tests= @hardcoded_path_in_tests@ +build-pt-chown = @build_pt_chown@ # Build tools. CC = @CC@ diff --git a/configure b/configure index 59a69f634f..1ee4c42003 100755 --- a/configure +++ b/configure @@ -647,6 +647,7 @@ multi_arch base_machine add_on_subdirs add_ons +build_pt_chown build_nscd link_obsolete_rpc libc_cv_nss_crypt @@ -756,6 +757,7 @@ enable_obsolete_rpc enable_systemtap enable_build_nscd enable_nscd +enable_pt_chown with_cpu ' ac_precious_vars='build_alias @@ -1421,6 +1423,7 @@ Optional Features: --enable-systemtap enable systemtap static probe points [default=no] --disable-build-nscd disable building and installing the nscd daemon --disable-nscd library functions will not contact the nscd daemon + --enable-pt_chown Enable building and installing pt_chown Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3711,6 +3714,19 @@ else fi +# Check whether --enable-pt_chown was given. +if test "${enable_pt_chown+set}" = set; then : + enableval=$enable_pt_chown; build_pt_chown=$enableval +else + build_pt_chown=no +fi + + +if test $build_pt_chown = yes; then + $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h + +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os diff --git a/configure.in b/configure.in index 4db1acf115..769e8eff66 100644 --- a/configure.in +++ b/configure.in @@ -353,6 +353,16 @@ AC_ARG_ENABLE([nscd], [use_nscd=$enableval], [use_nscd=yes]) +AC_ARG_ENABLE([pt_chown], + [AS_HELP_STRING([--enable-pt_chown], + [Enable building and installing pt_chown])], + [build_pt_chown=$enableval], + [build_pt_chown=no]) +AC_SUBST(build_pt_chown) +if test $build_pt_chown = yes; then + AC_DEFINE(HAVE_PT_CHOWN) +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os diff --git a/login/Makefile b/login/Makefile index 0bfe643136..430c6d93d6 100644 --- a/login/Makefile +++ b/login/Makefile @@ -30,9 +30,15 @@ routines := getlogin getlogin_r setlogin getlogin_r_chk \ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' -others = utmpdump pt_chown +others = utmpdump + +include ../Makeconfig + +ifeq (yes,$(build-pt-chown)) +others += pt_chown others-pie = pt_chown install-others-programs = $(inst_libexecdir)/pt_chown +endif subdir-dirs = programs vpath %.c programs diff --git a/manual/install.texi b/manual/install.texi index 0c05f51bbb..4575d22319 100644 --- a/manual/install.texi +++ b/manual/install.texi @@ -163,6 +163,20 @@ so that they can be invoked directly. @item --enable-lock-elision=yes Enable lock elision for pthread mutexes by default. +@pindex pt_chown +@findex grantpt +@item --enable-pt_chown +The file @file{pt_chown} is a helper binary for @code{grantpt} +(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to +fix up pseudo-terminal ownership. It is not built by default because +systems using the Linux kernel are commonly built with the @code{devpts} +filesystem enabled and mounted at @file{/dev/pts}, which manages +pseudo-terminal ownership automatically. By using +@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it +setuid and owned by @code{root}. The use of @file{pt_chown} introduces +additional security risks to the system and you should enable it only if +you understand and accept those risks. + @item --build=@var{build-system} @itemx --host=@var{host-system} These options are for cross-compiling. If you specify both options and diff --git a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c index d37da13506..431be855a3 100644 --- a/sysdeps/unix/grantpt.c +++ b/sysdeps/unix/grantpt.c @@ -173,9 +173,10 @@ grantpt (int fd) retval = 0; goto cleanup; - /* We have to use the helper program. */ + /* We have to use the helper program if it is available. */ helper:; +#ifdef HAVE_PT_CHOWN pid_t pid = __fork (); if (pid == -1) goto cleanup; @@ -190,9 +191,9 @@ grantpt (int fd) if (__dup2 (fd, PTY_FILENO) < 0) _exit (FAIL_EBADF); -#ifdef CLOSE_ALL_FDS +# ifdef CLOSE_ALL_FDS CLOSE_ALL_FDS (); -#endif +# endif execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL); _exit (FAIL_EXEC); @@ -231,6 +232,7 @@ grantpt (int fd) assert(! "getpt: internal error: invalid exit code from pt_chown"); } } +#endif cleanup: if (buf != _buf) diff --git a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c index 0a3cd472fa..8cebde36ed 100644 --- a/sysdeps/unix/sysv/linux/grantpt.c +++ b/sysdeps/unix/sysv/linux/grantpt.c @@ -11,7 +11,7 @@ #include "pty-private.h" - +#if HAVE_PT_CHOWN /* Close all file descriptors except the one specified. */ static void close_all_fds (void) @@ -38,6 +38,7 @@ close_all_fds (void) __dup2 (STDOUT_FILENO, STDERR_FILENO); } } -#define CLOSE_ALL_FDS() close_all_fds() +# define CLOSE_ALL_FDS() close_all_fds() +#endif #include